Office of Inspector General
Audit Report

FAA’S CIVIL AVIATION REGISTRY LACKS INFORMATION NEEDED FOR AVIATION SAFETY AND SECURITY MEASURES

Federal Aviation Administration

Report Number: FI-2013-101
Date Issued: June 27, 2013

U.S. Department of Transportation
Office of the Secretary of Transportation
Office of Inspector General

Memorandum

Subject: ACTION: Report: FAA’s Civil Aviation Registry Lacks Information Needed for Aviation Safety and Security Measures
Report Number FI-2013-101
Date: June 27, 2013
From: Louis King, Assistant Inspector General for Financial and Information Technology Audits
Reply to Attn. of: JA-20
To: Federal Aviation Administrator

As part of the Federal Aviation Administration’s (FAA) safety mission, its Flight Standards Service [1] (AFS) maintains the Civil Aviation Registry to ensure that unqualified aircraft owners and airmen [2] do not receive aircraft registrations or licenses. FAA uses the Registry to process and maintain ownership registrations on 350,000 [3] private and commercial aircraft and records on pilots’ licenses.
The Registry, which contains personally identifiable information (PII), also serves as a source of information for other Government agencies, including those responsible for homeland security and investigations of aviation accidents and other incidents.

We initiated this audit because of congressional concerns over aviation safety and the security of the information that FAA maintains in the Registry. Our objectives were to determine whether (1) aircraft registrations and pilot certifications include the information needed for FAA to ensure aviation safety, (2) security controls keep the Registry secure from unauthorized access, and (3) contingency plans are sufficient to recover the Registry system in the event of an emergency.

To conduct our work, we interviewed officials from FAA’s Flight Standards Service and Aviation Safety Office of Quality, Integration, and Executive Services. We reviewed laws governing aircraft registration and pilot certification and examined FAA’s policies and procedures on the Registry’s operations. We also assessed FAA’s compliance with Department of Transportation (DOT) policy on maintenance of information systems’ confidentiality and availability. We conducted this audit between January 2011 and April 2013 in accordance with generally accepted Government auditing standards. Exhibit A further details our scope and methodology.

[1] AFS promotes safe air transportation by setting standards for certification and oversight of pilots; air carriers including major airlines, regional carriers and cargo carriers; flight schools and training centers; and management of the information systems of record for pilots and all civil aircraft.
[2] Individuals certified by FAA’s Airman Certification Branch under 14 CFR Aeronautics and Space § 61, 63 and 65.
[3] The number of U.S. civil aircraft registered as of August 2012.

BACKGROUND

AFS manages the Registry—located in Oklahoma City, Oklahoma—which consists of two databases, one on aircraft and the other on airmen. For aircraft, AFS accepts applications for and maintains permanent records on the registrations of all civil aircraft. Title 14 (Aeronautics and Space) of the Code of Federal Regulations (CFR) requires the application to include the aircraft’s make, model, and serial number; the applicant’s permanent address; and documentary proof—such as title of ownership or bill of sale—that the applicant owns the aircraft. Each applicant for registration must also certify that he or she is a citizen of the United States and that the aircraft is not registered under the laws of any other country. AFS reviews each applicant’s information and issues Certificates of Aircraft Registration to applicants who meet requirements. [4]

FAA regulations also allow the registration of aircraft owned under trusts, [5] which allow non-U.S. citizens to have their aircraft registered on FAA’s Registry. To do this, an aircraft owner will create a trust agreement that transfers the aircraft’s title to an American trustee. The trustee, who may be an individual or organization, will register the aircraft under his/her or its name.
The agreement will also identify the beneficiary or person who can use the aircraft. The owner and the beneficiary are frequently the same person.

In July 2010, to ensure that aircraft owners provide accurate information for Registry records, FAA issued a rule on aircraft re-registration [6] and registration renewal. The rule requires the re-registration of all civil aircraft by December 31, 2013, and enables FAA to cancel the registrations of aircraft that are not re-registered by this date. After initial re-registration, all aircraft registrations must be renewed every 3 years.

[4] Title 14, Section 47.5 of the CFR actually states that the Certificate of Aircraft Registration is issued “to the person who appears to be the owner” (emphasis added) of the aircraft.
[5] A trust is a legal entity created by one party, the owner and trustor, through which a second party, the trustee, holds the title to the trustor's assets or property for the benefit of a third party, the beneficiary. The trustor/owner may also be a trustee and/or one of the beneficiaries.
[6] Re-registration will take place between October 1, 2010, and December 31, 2013. All owners are required to re-register by predetermined quarterly dates based on the month of original registration. First-time registrations issued on or after October 1, 2010, also expire after 3 years.

CFR 14 also requires all persons who operate aircraft in the United States to obtain and maintain a valid pilot’s certification. AFS accepts applications for pilots’ certifications and maintains permanent records on the certifications in the Registry’s pilot database.
An application for a pilot’s certification includes the applicant’s social security number and date of birth, a record of pilot flight time, and the basis for the application such as test results or graduation from approved courses [7]. FAA uses designated examiners [8]—private individuals who act on FAA’s behalf—to review and approve the applications, and AFS’s Registry examiners review approved applications and issue certifications. FAA contracts with a vendor who furnishes the facilities, management, personnel, equipment, and materials necessary to produce and mail pilots’ certifications.

RESULTS IN BRIEF

FAA’s Civil Aviation Registry lacks accurate and complete information needed for aviation safety and security measures. The Registry lacks information on registered aircraft, owners—including non-U.S. citizens—and their compliance with FAA regulations. FAA’s regulations require owners to periodically update or correct the information in their Registry records, but the Agency does not check these re-registrations against the original records to ensure accuracy and regulatory compliance. We found incomplete registrations for about 5,600 aircraft, or 54 percent, owned under trusts for non-U.S. citizens. As a result, FAA has been unable to provide information on these aircraft to foreign authorities upon request when U.S. registered aircraft are involved in accidents or incidents in foreign countries, as required by the Convention on International Aviation. FAA’s Registry similarly lacks complete information on pilot certifications, which makes it difficult for law enforcement officials to use the Registry to conduct security screenings required by the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) or to detect pilots who provide false information.
These data weaknesses largely stem from FAA’s lack of formal quality control procedures to regularly reassess the integrity of the Registry’s data and information systems.

FAA has not implemented needed security controls over the Registry’s configuration and account management to mitigate the risk of unauthorized access to PII. FAA maintains it is not responsible for information voluntarily submitted to the Registry. However, FAA’s practices are contrary to Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) requirements that require protection of PII and emphasize the importance of access controls, up-to-date operating systems, and continuous monitoring. We found multiple weaknesses with the Registry servers, including outdated operating systems and no routine monitoring over sensitive data access. FAA is also not in compliance with DOT policies calling for PII encryption and account access controls. Finally, FAA does not have agreements in place with external parties that receive registry information to protect PII to prevent unauthorized access, as required by the Federal Information Security Management Act (FISMA).

[7] Submission of the data is mandatory, except for the Social Security Number, which is voluntary.
[8] Designated examiners exercise the authority of the FAA Administrator to certify and approve pilots’ records, certifications, and test results.

FAA’s recovery plan for the Registry does not meet DOT’s information technology (IT) security policy requirements and is inadequate to ensure that the system is recoverable after a disaster or other event causing it to be shut-down.
For example, FAA’s test procedures for the Registry’s recovery plan did not include an alternative processing site for the resumption of Registry functions in case of a shut-down. Due to a reorganization of information technology activities some years ago and the Registry’s complexity, FAA had not yet selected an alternate processing site. Lack of testing of the Registry’s backup systems at an alternative site creates the risk that FAA will be unable to resume essential operations after a system shut-down.

We are making recommendations to improve the accuracy, security, and reliability of the Registry’s data.

FAA’S REGISTRY DOES NOT CONTAIN COMPLETE AND ACCURATE INFORMATION ON AIRCRAFT REGISTRATIONS AND PILOT CERTIFICATIONS

FAA does not maintain accurate or complete information in its Registry. For example, it lacks information on registered aircraft, owners—including non-U.S. citizens—and their compliance with FAA regulations. FAA similarly lacks complete information on pilot certifications, which makes it difficult for the Transportation Security Administration (TSA) and other law enforcement officials to use the Registry for required security screenings or to detect pilots who provide false information. A major factor contributing to these weaknesses is FAA’s lack of formal quality control procedures to regularly reassess the integrity of the Registry’s data and information systems.

The Registry Lacks Complete and Reliable Information on Registered Aircraft and Their Owners and Operators

The Registry lacks information on registered aircraft, their owners, and their operators that FAA needs for aviation and security measures. We selected a random sample of 68 out of 10,292 fixed wing and rotary aircraft registrations and found that 37 out of 68 had incomplete registrations.
Based on this finding we estimate that 5,600 or 54.4 percent of aircraft owned under trusts for non-US citizens lacked important information such as the identity of the trusts’ owners and aircraft operators. [9] While FAA’s regulations require registration applications to include copies of all documents that establish these trusts, they require few documents that identify the owners who established the trusts and how the trusts comply with regulations. However, under the Convention on International Civil Aviation, [10] FAA has a duty to provide, upon request from appropriate foreign civil aviation authorities, accurate information on U.S. registered aircraft operated in foreign countries. Foreign aviation authorities have brought to FAA’s attention numerous accidents, operational errors, and other incidents involving U.S. aircraft registered to trusts for non-U.S. citizen beneficiaries. Because the Registry lacks information on these aircraft, FAA is at risk of not being able to meet its duty under the Convention and answer these authorities’ requests for information. FAA has taken actions by convening a working group to identify key issues, holding public meetings, and issuing proposed policy clarification in the Federal Register for these types of aircraft registrations, but has yet to conclude work in this area. We are conducting additional audit work on the relationships between these trustees and the anonymous owners/beneficiaries.

We also found errors in Registry data. Specifically, 130 of 350,000 aircraft registration records in the Registry share make and model information and serial numbers with at least 1 other aircraft, making it difficult for FAA and other Registry users to identify the true owners of these specific aircraft.
While this is a small number of discrepancies, the impact is potentially significant if a serious incident occurs and FAA is unable to identify the aircraft’s owner in a timely manner. Inadequate quality control procedures contribute to such errors. For example, FAA does not check the Registry for duplicate information or perform semi-annual reassessments to review the information in aircraft registrations for accuracy or compliance with regulations in accordance with DOT policy. [11] Instead, FAA relies on each aircraft owner to validate that the information on his or her aircraft—including make, model, serial number, and the owner’s physical address—in the Registry is current.

The Registry Does Not Contain Complete and Accurate Information on Pilots’ Certifications

The Registry also lacks information on pilots that FAA needs to ensure aviation safety. Over 43,000 airmen have received certifications even though they have not provided FAA with accurate permanent personal addresses. Despite its policy, [12] FAA has permitted pilots to use business and flight school addresses on their applications for certification. As a result, it is difficult for TSA to locate individuals to conduct IRTPA-required pilot screening. These screenings must be complete before FAA can issue pilot certifications.

[9] Our 5,600 estimate has a precision of +/-1,027 at the 90-percent confidence level.
[10] Known as the Chicago Convention, it was signed on December 7, 1944.
[11] DOT Order 1351.37 Departmental Cybersecurity Policy requires that System Owners perform semi-annual reassessments of the integrity of information and ensure the validity of information inputs.
[12] FAA Order 8900.2 CHG 1, General Aviation Airman Designee Handbook.
The Government Accountability Office (GAO) recently reported on the impact that FAA’s lack of data on pilots has on aviation safety [13] and has highlighted the importance of the Registry’s accuracy for ensuring aviation security. [14]

FAA also does not comply with IRTPA’s requirements for more secure pilot certification documentation. IRTPA requires FAA to issue pilots’ licenses that are tamper resistant, include a photograph of the pilot, and can accommodate a biometric identifier, such as fingerprints. According to FAA officials, however, the Agency does not yet require pilots to provide photographs or biometric identifiers for inclusion in their certifications due to its lack of expertise in biometrics and a late start in its preparation to meet the requirement. The Department of Homeland Security’s Inspector General has reported [15] that because FAA does not require unique identifiers—such as photographs or social security numbers—on pilots’ certifications, TSA may not be able to identify pilots who provide false personal information on their certification applications thereby making it easier for individuals using false identities to receive certifications.

FAA Lacks Formal Quality Control Procedures for the Registry

FAA does not have formal quality control procedures to conduct regular integrity assessments of the Registry’s data. DOT policy [16] states that Information System Owners—the manager responsible for an information system’s operation and maintenance—must reassess semi-annually the integrity of both their systems’ information and software. Furthermore, System Owners must ensure that their information systems validate information inputs to ensure that the systems’ data are complete, accurate, and valid, and that the systems identify and reject any incorrect information.
However, FAA has no documentation that describes the Registry’s quality control requirements for reassessing its data and how those requirements correspond with FAA’s policy and regulations. [17]

[13] GAO, Additional FAA Efforts Could Help Identify and Mitigate Safety Risks, GAO-13-36, October 4, 2012.
[14] GAO, TSA’s Process for Ensuring Foreign Flight Students Do Not Pose a Security Risk Has Weaknesses, GAO-12-900T, July 18, 2012.
[15] DHS, Transportation Security Administration (TSA) Vetting of Airmen Certificates and General Aviation Airport Access and Security Procedures, OIG-11-96, July 2011.
[16] U.S. Department of Transportation, Departmental Cybersecurity Compendium, Supplement to DOT Order 1351.37, June 14, 2011.
[17] 14 CFR § 47 (Aircraft Registration) and § 61, 63 and 65 (Airmen Certification).

THE REGISTRY’S SECURITY CONTROLS ARE INADEQUATE TO PROTECT THE REGISTRY’S PII FROM UNAUTHORIZED ACCESS

FAA’s security controls for the Registry’s system configuration and account management do not adequately protect the PII in the system. FAA’s controls do not comply with DOT policies and put the system at risk for unauthorized access. Furthermore, FAA does not require the contractor who produces pilots’ certifications to have the security controls required by FISMA and DOT policy in place.

FAA’s Inadequate Security Controls Put the Registry’s PII at Risk for Unauthorized Access

OMB requires all Federal agencies to implement the security controls necessary to prevent inappropriate access to, use, and disclosure of PII. Furthermore, NIST specifies the controls for high-impact systems, [18] such as the Registry.
For example, NIST requires access controls, up-to-date operating systems [19] and patches, [20] and continuous monitoring. Pilots’ certifications contain particularly sensitive PII, including social security numbers and personal medical information. Aircraft records submitted during the registration process may also contain PII inadvertently included by the registrant. However, FAA has not implemented security controls that will mitigate the risk of unauthorized access to the Registry’s PII. We performed a vulnerability assessment [21] of Registry systems and noted the following weaknesses:

• Thirty computer servers, 70 percent, of the 42 that support the Registry, contained at least 1 high risk or critical vulnerability—a weakness in an information system that could be exploited for unauthorized access.

• Two servers were running operating systems that were outdated and therefore no longer receiving vendor support or patches.

• Seven servers were missing update patches from 2007 and subsequent years.

• Access to sensitive Registry data is not monitored.

Furthermore, we found that FAA did not effectively implement the following controls that are required by FISMA, OMB, or DOT policy:

[18] A system is considered high impact if its loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
[19] An operating system is the software that allows computer users to run applications with the hardware of a specific system.
Microsoft Windows or Apple Computer’s OS are examples of operating systems.
[20] Patches are software that fix problems with computer programs, including system vulnerabilities.
[21] A vulnerability assessment is a method of identifying weaknesses present in information technology systems by examining the current software versions and settings.

• PII encryption. FAA does not encrypt [22] Registry data, including PII, on pilots and sensitive information inadvertently submitted by owners for aircraft registrations. The lack of encryption makes reading PII easier when it is accessed by an unauthorized party or stolen. During the pilot certification and aircraft registration processes, FAA receives copies of sensitive information such as driver licenses and documents ancillary to trusts, which without encryption, is at an increased risk of exposure.

• Annual user account validations [23] to identify, disable, and remove accounts are no longer in use. FAA only sporadically validates the Registry’s user accounts and does not document this validation. Untimely disabling and removal of accounts could lead to unauthorized access to information and systems by individuals who are no longer authorized. Additionally, FAA has inadequate policies and practices for creating and managing user accounts. For example, FAA’s system access authorizations do not adequately segregate approval and recording of changes to user accounts.

• Multifactor user identity authentication. OMB requires multifactor identity authentication, which consists of a password and another access method such as a smart card, to verify Registry users’ identities before granting system access.
  Although FAA indicated that the Registry uses digital signatures [24] to authenticate Registry users, we found that it does not use this technology or multifactor authentication. In addition, there are over 38,000 Registry users—designated examiners that certify pilots’ certifications application—who are not FAA employees, heightening the need for strong access controls, such as multifactor identity authentication, to prevent compromise of pilots’ PII.

Inadequate procedures, delayed resolution of identified weaknesses, and not accepting responsibility for PII voluntarily submitted to the Registry contributed to these weaknesses. Specifically, FAA had no written procedures and guidance on configuration management and changes making it difficult to monitor and patch the system. FAA also had not completed the corrective actions included in its plans of action and milestones (POA&Ms) to address identified weaknesses. Twenty-six POA&Ms, including high risk items that FAA identified in 2009, were not resolved in a timely manner. For example, FAA wrote a POA&M for its lack of a configuration management plan for the Registry’s system with a completion date of May 31, 2010, but did not complete the plan until October 2011.
Finally, FAA officials informed us that because PII in aircraft registration records are voluntarily submitted to the Registry by aircraft owners, FAA does not have any responsibility to safeguard this sensitive information.

[22] Encryption is the process of changing information in such a way as to make it unreadable by anyone except those possessing special knowledge (usually referred to as a “key”) that allows them to change the information back to its original, readable form.
[23] Annual validation is required for users’ accounts and semi-annual for system owners and administrators’ accounts.
[24] Digital signature is a technology that uses encryption to authenticate the person who transmits information over a network and to ensure that the information is not changed during transmission.

FAA Has Not Established Required Agreements with its Contractor and Other Agencies That Receive Registry Information to Ensure That Their Systems Protect the Information

FAA does not have FISMA-required agreements with its contractor and other Federal agencies that receive Registry information to ensure that these third-parties’ systems can protect the Registry’s PII from unauthorized access. FISMA requires Federal agencies to establish interconnection security agreements to authorize connections from one information system to systems outside of their authorization. These agreements provide assurance that the outside systems are secured according to the requirements for Federal information processing systems. DOT policy also calls for FAA to require providers of external information system services to employ security controls in accordance with the requirements for Federal systems.
However, FAA has not entered into such an agreement with the vendor that produces pilots’ certifications or included the required terms in its contract with the vendor. FAA also shares Registry information with other Government agencies, such as TSA, and Federal and State prisons, but does not have interconnection security agreements with all such entities. As a result, FAA does not have any assurance that the information it provides to external parties will be properly secured.

FAA’S CONTINGENCY PLAN FOR THE REGISTRY CANNOT ENSURE THAT THE AGENCY WILL RECOVER THE SYSTEM AFTER A SHUT-DOWN

FAA’s contingency plan for the Registry does not ensure that FAA will be able to recover the Registry after a shut-down. At the time of our review, the plan described how to recover the system in the event of an emergency shut-down. However, FAA had not yet established an alternative operation site for the Registry. Both NIST Special Publication 800-53 and DOT policy, issued in August 2009 and June 2011 respectively, require DOT’s operating administrations to establish alternate processing sites for their information systems and to implement plans for the resumption of system operations for essential missions and business functions when the primary processing capabilities are unavailable.

Furthermore, FAA’s test procedures for the Registry’s recovery plan do not include testing a recovered system. Because the Registry is a high-impact system, NIST requires FAA to test the Registry’s contingency plan at the alternate processing site to determine the plan’s effectiveness and staff’s readiness to execute the plan, review the test results, and initiate corrective actions.
However, FAA only makes phone calls to ensure that the key personnel can be contacted in the event of an emergency shut-down of the Registry.

Due to a reorganization of information technology activities a number of years ago and the Registry’s complexity, FAA is still working to establish the Registry’s alternative processing site. However, the lack of testing of the Registry’s backup systems at an alternative site creates the risk that FAA will be unable to resume essential operations after a system shut-down and ensure continued access to aircraft registrations and pilot certification records.

CONCLUSION

DOT’s primary mission is safety. Integrally related to the safety of aviation operations is the security and integrity of information FAA collects on the pilots and aircraft operating in the National Airspace System and around the world. In furtherance of the aviation safety mission, FAA must collect and protect complete and accurate aircraft and pilot data. In addition, FAA must also ensure this data is readily available for safety purposes. The weaknesses we identified increase the risk that the integrity and privacy of the Registry’s data will be compromised. In addition, in the event of a system disruption, the data may not be available in a timely manner.
Until resolved, these weaknesses diminish FAA\xe2\x80\x99s ability to fully\ncarry out its safety mission and provide required services and assistance to the\naviation public, airlines, law enforcement, foreign governments, and Federal\nagencies responsible for homeland security.\n\nRECOMMENDATIONS\n\nTo improve the accuracy, security, and reliability of the Registry\xe2\x80\x99s data, we\nrecommend that FAA\xe2\x80\x99s Administrator require the Associate Administrator for\nAviation Safety in consultation with the Agency\xe2\x80\x99s Chief Information Officer:\n\n1. Develop procedures for periodic reassessments of aircraft and airman data to\n   improve and maintain data integrity.\n\n2. Issue policy or regulations that clarify informational requirements for\n   registration of aircraft owned by trusts for non-citizens.\n\n3. Develop procedures to ensure that airman addresses are kept current.\n\n4. Implement the provisions of the Intelligence Reform and Terrorism Prevention\n   Act\xe2\x80\x99s for pilot certifications.\n\x0c                                                                                  11\n\n\n5. Implement access monitoring, user accounts, and multi-factor authentication\n   for the Registry.\n\n6. Encrypt PII and mitigate the vulnerabilities on Registry computers. If controls\n   cannot be implemented immediately then remove all PII or take other actions\n   as appropriate, such as suspend the system\xe2\x80\x99s operation in accordance with FAA\n   Order 1280.1B.\n\n7. Ensure that the FAA contractor\xe2\x80\x99s computers and other third-party systems\n   comply with information security controls required by FISMA and DOT\n   policy.\n\n8. 
Mitigate contingency planning weaknesses by selecting an alternative
   processing site and periodically conducting comprehensive contingency tests at
   the alternate site in accordance with DOT policy.

AGENCY COMMENTS AND OFFICE OF INSPECTOR GENERAL
RESPONSE

We provided FAA with a draft of this report on April 4, 2013, and requested the
Agency’s response within 30 calendar days. We received the response on June 20,
2013, which is included as an appendix to this report. FAA concurred with five of
our eight recommendations (2, 3, 4, 7, and 8) and partially concurred with three (1,
5, and 6).

FAA concurred with recommendation 2 and requested that it be closed based on
its recent publication of a revised policy on registration of non-citizen trusts;
however, we do not agree that FAA’s clarification of its aircraft registration policy
will ensure that FAA has the information it needs. The new policy states that
trustees, upon FAA’s request, should provide information about registered aircraft
and their operations within set time frames. However, FAA states that the Registry
is the system of record in which the Agency maintains information that users need
to locate individuals and aircraft. For the Registry to meet this purpose, FAA must
collect this information as part of the registration process so that it is available to
users when they need it. Consequently, the new policy does not ensure that FAA
will have the information it needs for proper safety oversight. Therefore, we
request that FAA reconsider its response and provide information to clarify how it
will collect and maintain current information about the ownership and operation of
all aircraft owned under trusts for non-citizens.

FAA partially concurred with recommendations 1, 5 and 6. However, its planned
actions do not address the recommendations’ full intent.
Therefore, we consider them open and unresolved and request that FAA reconsider
its related responses. Specifically:

• We disagree that the Agency has quality control processes in place that are
  sufficient to resolve recommendation 1. In addition, FAA has not provided
  information describing its quality control requirements for regular
  reassessments of the Registry’s data. The Agency’s planned action on data
  integrity improvements would be beneficial but does not go far enough. DOT
  policy requires semi-annual data integrity assessments for all information
  systems. FAA’s planned action does not comply with this policy. Therefore,
  we request that FAA provide additional information on actions it plans to take
  to periodically reassess the Registry’s data to identify and correct aircraft
  registrations and pilot certifications that do not conform to its policies and
  regulations.

• In response to recommendation 5, FAA stated that its self assessments of the
  Registry determined that the Registry’s system was at low risk for inadvertent
  disclosure of sensitive information, despite the fact that FAA has not
  implemented system account management and strong user identity
  authentication mechanisms. Further, FAA categorized the Registry as a high
  impact system, meaning that loss of confidentiality, integrity or availability of
  its information would have a severe or catastrophic effect on FAA’s
  operations. DOT policy requires high impact systems to use annual account
  validations and multifactor identity authentication to protect their sensitive
  information. FAA’s response does meet these DOT policy requirements for
  such high risk systems.
  Therefore, we request that FAA provide clarifying
  information on its plans for establishing annual account validations and
  multifactor user identity authentication.

• FAA’s lack of encryption of the data on its legacy systems does not comply
  with DOT policy and, therefore, does not sufficiently address recommendation
  6. DOT policy requires encryption of all sensitive PII, wherever it may reside,
  and does not allow for application of encryption when practical. We request
  that FAA provide information on its planned action to include encryption of all
  sensitive PII in the Registry, including that contained in legacy systems.

Given FAA’s reaction to our recommendations, we remain concerned that the
integrity and privacy of the Registry’s data will remain at risk.

ACTIONS REQUIRED

FAA’s planned actions for recommendations 3, 4, 7, and 8 are responsive and we
consider these recommendations resolved but open pending completion of the
planned actions. For recommendations 1, 2, 5, and 6, we are requesting the
Agency provide additional information on its planned actions, as detailed above.
In accordance with DOT Order 8000.1C, we request this information within 60
days. All corrections are subject to follow-up provisions in DOT Order 8000.1C.

We appreciate the courtesies and cooperation of Federal Aviation Administration
representatives during this audit.
If you have any questions concerning this report,
please call me at (202) 366-1407, or Joann Adam, Program Director, at
(202) 366-1488.

#

cc: Chief Information Officer, DOT
    Associate Administrator for Aviation Safety, FAA
    Assistant Administrator for Information Services and
     Chief Information Officer, FAA
    DOT Audit Liaison, M-1
    FAA Audit Liaison, AAE-100

EXHIBIT A. SCOPE AND METHODOLOGY

We conducted our work from January 2011 through April 2013 in accordance with
generally accepted Government auditing standards. Those standards require that
we plan and perform the audit to obtain sufficient, appropriate evidence to provide
a reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.

To determine the sufficiency of the Registry’s aircraft registrations and pilots
records, if PII was secure from unauthorized use or access, and if contingency
planning ensures Registry continuity, we interviewed officials from several FAA
offices and directorates. This included FAA’s Flight Standards Service–Civil
Aviation Registry and Flight Standards Division Special Emphasis Investigations
Team. We also interviewed officials from FAA’s Office of Quality, Integration,
and Executive Services; Office of the Chief Counsel; Office of Information
Services–Information Systems Security; and Office of Acquisition Services–
Contract Management Team.
We obtained, reviewed, and analyzed documentation
related to the confidentiality, integrity, and availability of the FAA’s Registry
system.

We used a statistical sample of 68 aircraft out of 10,292 from the Registry to
evaluate aircraft registration compliance with 14 CFR § 47 (Aircraft Registration).
We tested five key registration requirements on each of the 68 aircraft for a total
of 340 tests. This statistical sample allowed us to project aircraft registration
errors with a 90 percent confidence level and a precision of +/- 10 percent.

Finally, we performed a vulnerability assessment of the Registry’s Pilot and
Aircraft system components, including Pilot/Aircraft Web Services, IACRA Web
Services and Admin web site, Electronic Document Retrieval System (EDRSII),
Image Management System and the Registry and Office of Aviation Safety data
center’s pilot and aircraft processing infrastructure. We performed the assessment
using automated software tools as well as manual testing techniques. The results
of the scans were reviewed to determine if security settings meet policy and
baseline requirements for security testing, vendor updates (patches), and FAA’s
configuration of these systems.

EXHIBIT B.
MAJOR CONTRIBUTORS TO THIS REPORT

Name                                    Title

Joann Adam                              Program Director
Gerald Steere                           Project Manager
Tim Roberts                             Senior Auditor
Maria Dowds                             Senior Auditor
Susan Neill                             Writer-Editor
Seth Kaufman                            Senior Counsel
Sandra DeLost                           Information Technology Specialist
Megha Joshipura                         Statistician
Petra Swartzlander                      Senior Statistician
Allison La Vay                          Referencer

Federal Aviation
Administration

Memorandum
Date:      June 20, 2013
To:        Louis C. King, Assistant Inspector General for Financial and
           Information Technology Audits
From:      H. Clayton Foushee, Director, Office of Audit and Evaluation, AAE-1
Subject:   Federal Aviation Administration’s (FAA) Response to Office of Inspector
           General (OIG) Draft Report: FAA’s Civil Aviation Registry

The FAA Civil Aviation Registry (Registry) manages the permanent records for aircraft
registration and airman certification. Each is governed by a Systems of Record Notice
establishing its purpose, scope, and routine uses. Both systems are constantly evolving
with changes in the industry and regulatory environment.
Improvements in data quality,
error checking, appropriate user access, and security are continually evaluated through
International Organization for Standardization (ISO-9001) certified processes and
advances in automation technologies.

RECOMMENDATIONS AND RESPONSES

Recommendation #1: Develop procedures for periodic reassessments of aircraft and
airman data to improve and maintain data integrity.

Response: Partial Concur. As described in the draft report, the Registry already has
processes in place to review aircraft and airman records, as well as quality control
processes. The FAA does not believe the recommended establishment of a scheduled
periodic reassessment procedure offers sufficient improvement to be worth the
investment in resources that would be required. However, the Registry will evaluate
ways to improve data quality and integrity and provide a follow-up response by
December 31, 2013.

Recommendation #2: Issue policy or regulations that clarify informational requirements
for registration of aircraft owned by trusts for non-citizens.

Response: Concur. An official FAA policy clarification on registration of aircraft
owned by trusts for non-citizens has been under development since early 2010 and was
published in the Federal Register on June 18, 2013. The FAA requests this
recommendation be closed.

Appendix: Agency Response

Recommendation #3: Develop procedures to ensure that airman addresses are kept
current.

Response: Concur. Airmen are required by 14 Code of Federal Registration Part 61.60
to report a change in address within 30 days of a move and must provide an acceptable
physical residential address if different than a mailing address.
It's the responsibility of
the airman to inform the FAA if there is a change of address, and this can be
accomplished through a change of address notification, when adding a rating or applying
for an airman certificate or replacement. The FAA provides policy guidance regarding
acceptable address information for FAA authorized designees, FAA inspectors and other
officials in FAA Orders 8900.1, 8900.2 and other publications. Additional instructions
are provided on each application for an airman certificate and/or rating. If an
airman/applicant provides an unacceptable address, the Registry rejects the application or
request for reissuance of a certificate and the permanent airman certificate is not issued
until the airman complies with the FAA address requirements to provide an acceptable
address. Currently, the FAA does not preclude an airman from using a flight school
address or acceptable commercial address as a preferred mailing address, as long as the
airman also provides an acceptable physical, residential address for the official airman
record. Both addresses, when provided, are included in data that the FAA provides to the
Transportation Security Administration (TSA) and other law enforcement entities, as
required by U.S.C. 44703. The residential address may be shown in the database or
contained within the airman record on digital images.

Also, the FAA continues to update its system to identify addresses that are not acceptable
in accordance with U.S.C. 44703, and has implemented software changes and system
edits to identify unacceptable addresses. The Registry utilizes United States Postal
Service software to identify and standardize address information in order to ensure the
address information provided by an applicant is not a fictitious address and to ensure
proper delivery of the airman certificate.
Going forward, the FAA has purchased new
address validation software, called Melissa Data, which is currently undergoing testing to
confirm that it will identify a "commercial" address (such as a flight school address),
which would thereby require the airman to provide a physical residential address for
official record purposes. If this testing is successful, the FAA plans to fully implement
Melissa Data by September 30, 2014 and will also purchase a subscription of annual
updates to ensure continuing currency of address validation data.

It should be noted that many of the records identified by the OIG were established prior
to the requirement to provide a physical residential address. These airmen have had no
other contact with FAA, in some cases, since the original issuance of the airman
certificates. Many of the airmen the OIG identified are not “active”, and many of the
airman certificates were issued before or during the 1970’s and 1980’s, prior to the
requirement to provide a physical residential address (DEA Act of 1988). Prior to 1988,
it was acceptable to use an aviation school address, a post office box or other mailing
address when applying for an airman certificate and the purpose of capturing an address
was to ensure the FAA had a good address to be able to mail airman certificates, FAA
safety publications and notices to airmen.

Recommendation #4: Implement the provisions of the Intelligence Reform and
Terrorism Prevention Act (IRTPA) for pilot certifications.

Response: Concur. Historically, the purpose of a pilot certificate is to display airman
certificate privileges and qualifications.
Section 4022 of IRTPA changed the purpose and
utilization of a pilot certificate and required the FAA to issue improved pilot certificates
that (1) are resistant to tampering, altering, or counterfeiting; (2) include a photograph of
the individual to whom the certificate is issued; and (3) are capable of accommodating a
digital photograph, a biometric identifier, or any other unique identifier that the FAA
Administrator considers necessary.

The FAA began issuing plastic tamper- and counterfeit-resistant certificates in 2003. In
February 2008, the FAA published the Drug Enforcement Assistance (DEA) final rule
(73 FR 10662), which required all pilots (except student pilots) to obtain the
tamper-resistant plastic certificate by March 31, 2010. The DEA final rule satisfied the IRTPA
requirement to issue pilot certificates that are resistant to tampering, altering and
counterfeiting.

In November 2010, the FAA published a Notice of Proposed Rulemaking (NPRM) titled
“Photo Requirements for Pilot Certificates” (75 FR 70871). The NPRM proposed to
fulfill the final requirements of section 4022 of the IRTPA by requiring a photo of the
pilot on all plastic pilot certificates, including students. This rulemaking project was
placed on hold because it was superseded by Section 321 of the FAA Modernization and
Reform Act of 2012. To address the additional requirements of Section 321, and because
a pilot certificate is not and has never been utilized as a security credential, the FAA
formed a working group consisting of multiple FAA and TSA offices. This working
group is evaluating the FAA’s current certification processes and how they could be
changed to accommodate such certificates, the infrastructure required to utilize such
certificates, and associated costs that may be incurred.
For example, the FAA must
consider infrastructure requirements such as biometric collection and card readers that
would need to be developed and distributed for airmen, government and industry to
utilize biometric pilot certificates. The working group is also looking at funding
considerations, and options to reduce the burden on the public and the FAA.

The new associated rulemaking project has been accepted by FAA’s Office of
Rulemaking, but a schedule has not yet been approved. The timing of any proposed rule
will be critical so as not to duplicate rulemaking efforts between TSA and the FAA, but
the complex project is unlikely to be complete in the near term, and therefore the FAA
will provide an update by September 30, 2015.

Recommendation #5: Implement access monitoring, user accounts, and multi-factor
authentication for the Registry.

Response: Partial Concur. The FAA concurs with the recommendation to implement
access monitoring but does not concur with the recommendations regarding user accounts
or multi-factor authentication.

The OIG conducted this audit between January 2011 and April 2013. During this period,
the FAA closed a number of open Plan of Action and Milestones (POA&M) items which
add insight into FAA’s activities on this issue. The OIG confirmed the Fiscal Year (FY)
2012 Assessment Team audit review finding (Cyber Security Assessment and
Management ID 48954) that web application audit logs are not routinely monitored.
During the follow on FY2013 assessment, the Assessment Team concluded that the
system owners review web application audit records on a daily basis, and recommended
closing POA&M item 48954 with an effective date of March 2013.
The FY2013
Assessment Team also recommended that the Integrated Airman Certification and Rating
Application (IACRA) Information Technology Program Manager continue progress on
POA&M item 28838, to modify the application to have a user interface that can display
audit reports such as events that occurred during a selected time span or a listing of audit
records for a specific event type. This modification is scheduled to be completed by
September 30, 2013.

The OIG proposes an annual process to validate user accounts for the Registry web
applications and the IACRA system. These applications provide services to authorized
users, as the user requires these services, but once authorized, the applications do not
require any minimum level of activity to maintain an account. The FY2013 Security
Assessment Team assessed this risk as the lowest level of risk that can be calculated for
the Registry system. Based on the business requirements and the extremely low risk, the
Assessment Team recommended that the risk be accepted by the Authorizing Official, as
it was previously with POA&M item 38397.

The Office of Management and Budget published Memorandum number 4 in FY2004
(M-04-04) that describes the e-authentication analysis process. Assessment Teams use
the M-04-04 process to determine the level of authentication required for
non-organizational (external) users, e.g. Designated Pilot Examiners. The IACRA system and
the Registry web applications authenticate external users. The FY2013 Assessment
Team completed independent assessments and determined that level 2 user identifier and
passwords are appropriate and should be required. The FAA reviewed, and concurs with
the Assessment Team conclusion, that multi-factor authentication is not required for
external users.

Recommendation #6: Encrypt PII and mitigate the vulnerabilities on Registry
computers.
If controls cannot be implemented immediately then remove all PII or take
other actions as appropriate, such as suspend the system’s operation in accordance with
FAA Order 1280.1B.

Response: Partial Concur. The FAA concurs with the OIG recommendation to mitigate
the vulnerabilities on the Registry computers. However, this remediation cannot be
performed immediately. FAA Order 1280.1B, Protecting Personally Identifiable
Information (PII), does not require immediate implementation and thus the FAA will not
suspend operations. The Registry and IACRA systems will continue to operate while the
FAA performs activities to mitigate the vulnerabilities.

The OIG confirmed the FY2012 Assessment Team patch management finding. In
response to missing patches, the FY2013 Assessment Team updated POA&M item 38344
for the Registry and developed a new POA&M item for the IACRA system to address
missing security patches. The FAA concurs with the OIG conclusions and assessed these
POA&M items at a high risk level. Remediation is scheduled for completion by
September 30, 2013.

As the OIG noted in the findings, the Registry system contains several legacy
components, therefore, the FAA will not be able to encrypt all PII. In cases where
encryption is not practical, the FAA will continue to implement strong access controls to
PII in accordance with DOT Privacy Policy. The current access controls reduce risk to an
acceptable level, in compliance with that same DOT Privacy Policy.

It is not practical to implement encryption in the mainframe portion of the Registry
system as this component is being phased out. In addition, the image files cannot be
encrypted because of the legacy application. However, the image files are stored with a
proprietary wrapper and are not directly readable from storage.
The sensitive data
residing in databases in the enterprise data center can be encrypted, and the FAA is
reviewing potential solutions and plans to implement by December 31, 2013.

Recommendation #7: Ensure that the FAA contractor’s computers and other third-party
systems comply with information security controls required by FISMA and DOT policy.

Response: Concur. The FAA will add additional security controls to the next contract
and Statement of Work (SOW) which goes into effect October 2013. Even though
specific security requirements were not listed in the contract, the security requirements
were vetted by the FAA’s contracting office prior to awarding the contract. The current
SOW requires periodic background checks on each individual with access to airman data
and the contractor routinely provides background check results to the FAA.

Recommendation #8: Mitigate contingency planning weaknesses by selecting an
alternative processing site and periodically conducting comprehensive contingency tests
at the alternate site in accordance with DOT policy.

Response: Concur. An alternate data center with demonstrated failover capability has
been an identified vulnerability (POA&M item 48951). Due to competing priorities,
slow progress has been made with a tentative date of September 30, 2014 to remediate
this vulnerability. The FAA plans system functionality testing at the FAA disaster
recovery site, the William J. Hughes Technical Center (WJHTC), Atlantic City, New
Jersey. This activity is dependent upon the Unisys upgrade to version 8.2 and the
inclusion of the ancillary servers on the replication platform.
The FAA scheduled this
item to be completed by September 30, 2014.

Although the FAA still needs to conduct functional testing at the alternative processing
site, the FAA has conducted several other contingency tests. The Registry has an
approved Information Security Contingency Plan in place in which Registry data is
transferred to the WJHTC to provide an offsite storage location that is not subject to the
same hazards as the primary site. The FAA has successfully completed file recovery
exercises of the data transferred to the WJHTC. Additionally:
       1. The FAA participates in two exercises per year simulating the loss of the
          mainframe component and also participates in the Mike Monroney
          Aeronautical Center exercises to evaluate continuity of operations readiness in
          a variety of scenarios.
       2. Offsite backups and multiple levels of data protection are already in place.
          However, providing an alternate datacenter with demonstrated failover
          capability has been an identified vulnerability and the FAA plans to remediate
          this vulnerability by September 30, 2014.
       3. System functionality testing is scheduled to be done at the designated
          Aviation Safety disaster recovery site at Atlantic City, New Jersey. This
          activity is currently scheduled to be completed by September 30, 2014.
'